Re: Error 30 When Using HTTP Get or HTTP Request

2019-02-13 Thread Bruno LEGAY via 4D_Tech
Hi.

> You can handle this on the 4D Side by lowering the minimum TLS version (shown 
> in the tech tip below) but it's not recommended:
> https://kb.4d.com/assetid=78102
This is a very good source of information (what TLS version is supported with 
what version of 4D, how to lower the bar with a security compromise, etc...).
Thanks Tim for pointing towards this tech note.

> Thanks, Tim and Bruno. You are both correct. This particular 
> organization's server uses SSL3 and supports only TLS 1.0.
> 
> Given that the site in question belongs to one of the five largest 
> museums in the world, I would rate my chances at getting them to 
> re-deploy their server platform at my request are between zero and nil.

I am amazed that some sites still use/accept SSL3. This is a big no-no.
I would advise you to formally (email) warn your customer about the issue 
(provide the SSL Labs report).
Let him know you are willing to adapt to a lower security standard if no other 
option is possible on their side (their decision, they take the risk, not you).
IMHO our duty is to warn customers of potential security risks. Then they take 
the risk if they want.
Just to cover your back...

Just curious, what was the rating with https://www.ssllabs.com/ssltest/ ?

Tip : if it is really bad use the option "Do not show the results on the 
boards" (not always good to shame your clients publicly, and attract attention) 
;-)

We have done a small web site for a big French institution (not a bank but very 
similar) which is very strict/uptight on security. We do the development work 
and devops for this.
PS : this is a LAMP stack with Laravel framework, syncing info with a 4D 
backend. 
Even though the web site is small and hosted in a totally independent location 
(i.e. small risk), the company is applying its very strict approach, 
guidelines, rules on security.
Each release goes through a security audit done by an independent security audit 
company. Before the release there is a cycle (after functional validation) : 
security audit, fixes, and counter audit.
If the site does not pass the security audit, the site does not go into 
production. The security czar has the power to say NO. 
This is slow, time consuming, annoying, frustrating, etc... but we have 
improved the security for this project on each release (and gained experience).
On this site SSL3, TLS 1.0, TLS 1.1 are disabled. It is TLS 1.2 only, period. 
And ssllabs.com rating for this site : A+ :-)

Another tip for Linux / NGINX security settings :
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Bruno LEGAY
A&C Consulting

**
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Error 30 When Using HTTP Get or HTTP Request

2019-02-11 Thread Keisuke Miyako via 4D_Tech
in case you missed it, the blog link that Tim posted
does explain how you can lower your TLS threshold on the 4D side
with SET DATABASE PARAMETER.

On 2019/02/12 8:15, 4dinug via 4D_Tech <4d_tech@lists.4d.com> wrote:
> I would rate my chances at getting them to re-deploy their server platform at 
> my request are between zero and nil.




Re: Error 30 When Using HTTP Get or HTTP Request

2019-02-11 Thread 4dinug via 4D_Tech
Thanks, Tim and Bruno. You are both correct. This particular 
organization's server uses SSL3 and supports only TLS 1.0.


Given that the site in question belongs to one of the five largest 
museums in the world, I would rate my chances at getting them to 
re-deploy their server platform at my request are between zero and nil.


Thanks again.

On 2/11/2019 12:29 PM, Timothy Penner wrote:

I agree with Bruno; the most likely answer is that the server does not support 
TLS 1.2 - use the site Bruno mentioned in order to test the server to see what 
TLS versions it supports.

Check out the blog post from October 2017 describing the change in 4D where we 
no longer allow connections to servers that do not support TLS 1.2:
https://blog.4d.com/more-security-for-your-4d-server/

You can handle this on the 4D Side by lowering the minimum TLS version (shown 
in the tech tip below) but it's not recommended:
https://kb.4d.com/assetid=78102

Honestly, you should ask the provider to update their software so that it 
supports TLS 1.2 as the older algorithms have vulnerabilities in them and you 
shouldn't enable them if you are concerned about security.

-Tim




Timothy Penner
Senior Technical Services Engineer

4D Inc

RE: Error 30 When Using HTTP Get or HTTP Request

2019-02-11 Thread Timothy Penner via 4D_Tech
I agree with Bruno; the most likely answer is that the server does not support 
TLS 1.2 - use the site Bruno mentioned in order to test the server to see what 
TLS versions it supports.

Check out the blog post from October 2017 describing the change in 4D where we 
no longer allow connections to servers that do not support TLS 1.2:
https://blog.4d.com/more-security-for-your-4d-server/

You can handle this on the 4D Side by lowering the minimum TLS version (shown 
in the tech tip below) but it's not recommended:
https://kb.4d.com/assetid=78102

Honestly, you should ask the provider to update their software so that it 
supports TLS 1.2 as the older algorithms have vulnerabilities in them and you 
shouldn't enable them if you are concerned about security.

-Tim






Re: Error 30 When Using HTTP Get or HTTP Request

2019-02-11 Thread Bruno LEGAY via 4D_Tech
Hi,

It could be that the SSL/TLS version of your server is not supported (too 
old or too new).

You can use nmap or online tools to check the configuration of the server...

https://www.ssllabs.com/ssltest/

This will give you a list of ciphers

HTH
Bruno LEGAY



Error 30 When Using HTTP Get or HTTP Request

2019-02-11 Thread 4dinug via 4D_Tech
I am using v17R3 on Windows 10, and attempting to retrieve some 
resources from the web using HTTP Get() and HTTP Request() functions. 
Every attempt fails with an Error 30. Here are the contents of the arrays 
returned by GET LAST ERROR STACK:


Code  Int Comp  Error description
49    srvr      SSL internal error : error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
5     xbox      Access denied {path}
30    4DRT      Error #30

Attempting to retrieve the same resource from a web browser (e.g., 
Chrome) on the same machine is successful, so the problem is in 4D, not 
at the machine level.


Quitting 4D and restarting the database application had no effect.

There's a thread from November where Bruno LeGay reported the same 
problem, but using v15.5 with 4D running as a service. Keisuke Miyako 
replied, saying something about DNS, but that can't be the issue here, 
since presumably 4D is using the same resolver that my web browser uses. 
Plus the error message returned says nothing about DNS, but rather 
indicates SSL issues as the source of the problem.


Any suggestions would be greatly appreciated.

Thanks.
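
The check behind the "SSL23_GET_SERVER_HELLO:unsupported protocol" entry in the error stack above, as an added example that is not part of the original post and is not 4D's code. It assumes the error-code packing OpenSSL used before 3.0 and the pre-TLS 1.3 ServerHello layout; the function names are hypothetical and the ServerHello bytes are constructed samples.

```python
import struct

# TLS wire versions -> readable names
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL (pre-3.0) error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def server_hello_version(record):
    """Return the protocol version a server selected in its ServerHello."""
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                      # 0x16 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) < 6 or body[0] != 0x02:   # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    # handshake header is type(1) + length(3); server_version(2) follows
    return struct.unpack("!H", body[4:6])[0]

def check_floor(record, minimum=0x0303):
    """Mimic a client whose minimum accepted version is `minimum`."""
    chosen = server_hello_version(record)
    name = VERSIONS.get(chosen, hex(chosen))
    if chosen < minimum:
        return False, f"unsupported protocol: server selected {name}"
    return True, f"ok: server selected {name}"

def build_server_hello(version):
    """Constructed sample: minimal ServerHello (zero random, no session id)."""
    hello = (struct.pack("!H", version) + bytes(32)   # version + random
             + b"\x00" + b"\x00\x2f" + b"\x00")       # sid len, suite, compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

if __name__ == "__main__":
    # Error code from the post: lib 20 is OpenSSL's SSL library
    print(decode_openssl_error("14077102"))
    print(check_floor(build_server_hello(0x0301)))                  # TLS 1.2 floor
    print(check_floor(build_server_hello(0x0301), minimum=0x0301))  # lowered floor
```

A browser that still accepts TLS 1.0 passes the same server where a client with a TLS 1.2 floor stops at the ServerHello, which matches the behaviour described in the post.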



